Snort mailing list archives

RE: Portscan from own interface


From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 16 May 2001 22:48:02 +1000

Depending on the type of firewall being used, and whether it proxies HTTP
traffic, traffic that is passing through the firewall may in fact look like
it is originating at the firewall.

As for anti-spoofing, this again depends on your firewall software.

In firewall-1 you need to edit the network object in question (a firewall),
and specify valid addresses for each of the interfaces.  There is a standard
set of choices: All, Other, Other + Specify extra, selected addresses.

Other actually refers to addresses on the other interfaces, eg. you should
not expect to see traffic that belongs on the network of interface 1 on the
network connected to interface 2.

Have a look through your firewall documentation for more information.

If you are trying to set up anti-spoofing on a Linux box, using IPChains or
IPTables the simplest thing would be to drop all traffic on eth0 that should
only be arriving on eth1 and vice versa.

Hope I didn't lose anyone there.

John
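An added example, not part of the thread, that applies John's two points in Python: it flags spp_portscan lines whose source is the sensor's own external address (the case in the question), and it expresses the "drop on eth0 what belongs on eth1 and vice versa" anti-spoofing check, rendering it as iptables rules. Interface names, networks and the addresses in the sample log are constructed for the example.

```python
import ipaddress
import re

# Constructed syslog lines in the spp_portscan format quoted in the thread.
SAMPLE_LOG = """\
May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from 203.0.113.10: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from 198.51.100.77: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times
"""

# Assumed layout: eth0 faces the Internet, eth1 the internal LAN.
IFACE_NETS = {"eth0": ["203.0.113.0/24"], "eth1": ["192.168.1.0/24"]}
OWN_EXTERNAL = {"203.0.113.10"}  # the firewall's own external address

PORTSCAN_RE = re.compile(r"spp_portscan: portscan status from (?P<src>[\d.]+): "
                         r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts")

def parse_portscan_lines(text):
    """Return (src, connections, hosts) for every spp_portscan status line."""
    events = []
    for line in text.splitlines():
        m = PORTSCAN_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("conns")), int(m.group("hosts"))))
    return events

def self_sourced(events, own_addrs):
    """Alerts whose source is one of the sensor's own addresses: with a proxying
    firewall these are usually forwarded traffic, not a scan of yourself."""
    return [e for e in events if e[0] in own_addrs]

def should_drop(iface, src, iface_nets):
    """True when a packet arriving on iface carries a source address that belongs
    to a network assigned to a different interface (the anti-spoofing rule above).
    Addresses assigned to no interface (the rest of the Internet) pass."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n)
               for other, nets in iface_nets.items() if other != iface for n in nets)

def iptables_antispoof_rules(iface_nets):
    """Render the same policy as iptables commands for the INPUT and FORWARD chains."""
    rules = []
    for iface in iface_nets:
        for other, nets in iface_nets.items():
            if other == iface:
                continue
            for n in nets:
                for chain in ("INPUT", "FORWARD"):
                    rules.append(f"iptables -A {chain} -i {iface} -s {n} -j DROP")
    return rules
```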

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Subba Rao
Sent: Wednesday, 16 May 2001 15:38
To: Midnight shadow
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Portscan from own interface


On  0, Midnight shadow <p.selder () freeler nl> wrote:

I noticed something strange in the snort-log file. I got a portscan from the
external interface of my firewall. Normally the offending host is logged,
but now my external ip is listed.

What can be the cause? Spoofing of some kind?
The next lines are only a few from the messages log.

May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from
x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times

x.x.x.x is the ip of the external interface.
I'm running snort 1.8 beta on redhat 7.0 i386


I am seeing similar messages in my snort logs. I hope it is only spoofing and
not that my machine has been compromised.

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**]
05/16-05:19:37.397711

How can I set up anti-spoofing controls on my machine?

TIA.

--

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID 27FC9217

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

